Conferences for 2011

One of the reasons the Ruby and Rails community is so strong and passionate is because of the awesome regional conferences that happen all around the globe on a yearly basis. Previously on this blog I’ve gone through the list and highlighted a bunch, but since then Ruby There has popped up.

So instead of listing out all the conferences I’m just going to send you over to RubyThere.com.

If you dig the Ruby and Rails community I highly recommend you attend one of these events and maybe volunteer to help or even sponsor if you can afford to. It’s hard work putting on a conference, and most of the organizers do it for the love of the community (and little to no compensation).

Rails for Zombies

This morning my team over at Envy Labs released a free online tutorial called Rails for Zombies. The website combines screencasts with in-browser coding to provide an interactive learning experience teaching the basics of Ruby on Rails.

Learning Rails for the first time should be fun, and Rails for Zombies allows you to get your feet wet without any setup or configuration. At the moment the application has five episodes. Each episode consists of a single screencast followed by a group of exercises which must be completed before moving forward. Once you complete all the labs, you unlock a hidden video which shows you where to go to continue your Rails learning.

If you have any friends who need to get started with Rails, hopefully this will help.

Rails 3.0.3: Faster Active Record plus fixes

How about some free speed? Well, here you go. Rails 3.0.3 includes a much faster version of Active Record that reclaims the performance lost when we went from Rails 2.3.x to 3.x and then some. Aaron Patterson has done a phenomenal job benchmarking, tweaking, and tuning the ARel engine that underpins Active Record 3 and the result is Teh Snappy.

You can read more about Aaron’s work in his ARel 2.0 write-up. If you dare, you can also have a look at his RubyConf slides that went over the rewrite and speed-up in even greater detail (warning: there are slides of boys kissing!).

In addition to the free speed, we’ve also included a truckload of minor fixes. So everything just works better and faster. What more can you ask for? Oh, that it’s a drop-in replacement for Rails 3.0 — there are no API changes. You got it.

See all the changes on Github. Install the latest version using gem install rails. Or bind yourself to the v3.0.3 tag.

Enjoy!

Note: Active Record 3.0.3 is mistakenly reporting its tiny version as 1 instead of 3. This has no impact on anything you do unless you were specifically checking that tiny version. But if it bothers you lots, it’s fixed on the 3-0-stable branch.

Security Vulnerability in Nested Attributes code in Ruby On Rails 2.3.9 and 3.0.0

There is a vulnerability in the nested attributes handling code in some versions of Ruby on Rails. An attacker could manipulate form parameters and make changes to records other than those the developer intended. This vulnerability has been assigned the identifier CVE-2010-3933.

  • Versions Affected: 3.0.0, 2.3.9
  • Not affected: Versions earlier than 2.3.9 and applications which do not use accepts_nested_attributes_for
  • Fixed Versions: 3.0.1, 2.3.10

Impact

An attacker could change parameter names for form inputs and make changes to arbitrary records in the system. All users running an affected release should upgrade immediately.

Releases

The 3.0.1 and 2.3.10 releases are available at the normal locations. The 3.0.1 release consists solely of 3.0.0 with the security issue fixed; 3.0.2 will follow shortly and include other bugfixes as well as this fix. 2.3.10 is a regular release in the 2.3 series.
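A triage check built from the version list above, as an added example rather than code from the Rails project: it reads the Active Record version from a Gemfile.lock (or the `RAILS_GEM_VERSION` pin in a Rails 2.3 `config/environment.rb`) and looks for uncommented uses of accepts_nested_attributes_for. The function names and the sample lockfile and model sources are constructed for illustration.

```ruby
require 'rubygems'

# Version facts taken from the advisory above.
AFFECTED = %w[2.3.9 3.0.0].map { |v| Gem::Version.new(v) }.freeze
FIXED    = { '2.3' => '2.3.10', '3.0' => '3.0.1' }.freeze

# Constructed sample input: a trimmed Gemfile.lock and two model files.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: http://rubygems.org/
    specs:
      activerecord (3.0.0)
        activemodel (= 3.0.0)
      rails (3.0.0)
        activerecord (= 3.0.0)
LOCK
SAMPLE_SOURCES = {
  'app/models/project.rb' => "class Project < ActiveRecord::Base\n  accepts_nested_attributes_for :tasks\nend\n",
  'app/models/task.rb'    => "class Task < ActiveRecord::Base\n  # accepts_nested_attributes_for :notes\nend\n"
}.freeze

# Active Record version from Gemfile.lock (Rails 3) or the Rails version
# pinned in config/environment.rb (Rails 2.3). Returns nil if neither is found.
def detect_version(lockfile, environment_rb)
  m = lockfile.to_s.match(/^ {4}activerecord \(([\d.]+)\)$/) ||
      environment_rb.to_s.match(/^\s*RAILS_GEM_VERSION\s*=\s*['"]([\d.]+)['"]/)
  m && Gem::Version.new(m[1])
end

# Files that call accepts_nested_attributes_for outside a comment (heuristic).
def nested_attribute_files(sources)
  sources.select do |_path, code|
    code.each_line.any? { |line| line.sub(/#.*/, '') =~ /\baccepts_nested_attributes_for\b/ }
  end.keys.sort
end

def triage(lockfile: nil, environment_rb: nil, sources: {})
  version = detect_version(lockfile, environment_rb)
  return { status: :unknown_version } unless version
  return { status: :version_not_listed, version: version.to_s } unless AFFECTED.include?(version)
  files = nested_attribute_files(sources)
  return { status: :feature_unused, version: version.to_s } if files.empty?
  series = version.segments.first(2).join('.')
  { status: :affected, version: version.to_s, upgrade_to: FIXED[series], files: files }
end

p triage(lockfile: SAMPLE_LOCK, sources: SAMPLE_SOURCES) if $PROGRAM_NAME == __FILE__
```

A `:feature_unused` result reflects only the files passed in; plugins and engines that declare nested attributes need to be included in the scan as well.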

Workarounds

There are no feasible workarounds for this issue.

Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

Please note that only the 2.3.x and 3.0.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible.

Credits

Thanks to Matti Paksula and Juha Suuraho of Enemy & Sons Ltd for reporting the vulnerability to us and helping verify the fix.

RubyAndRails 2010

RubyEnRails returns this year bigger and better as RubyAndRails 2010, running from 21-22 October in Amsterdam. Talks are in English and entry is just €149,00.

The speaker lineup is shaping up great. Check out the program and sign up now.

RubyAndRails has been run by volunteers for five years now, growing from a friendly regional gathering to an even friendlier all-European event. The Rumble is back this year, too!

Santiago Pastorino joins Rails Core

It’s my pleasure to announce that Santiago Pastorino has joined the Rails Core group. Santiago only started contributing to Rails this year, but has been on fire ever since his first patches were accepted. He’s managed to rack up 380 commits since the beginning of the year.

Santiago is one of the lead developers and co-founder of WyeWorks from Montevideo, Uruguay. He started working full-time with Ruby and Rails in the middle of 2008 after years of Java development. Since early 2010 he has been trying to work full-time on OSS and sporadically writes on his company’s blog.

Congratulations!

Ruby on Rails 2.3.9 Released

We’ve released Ruby on Rails 2.3.9 (gem and git tag) to extend the 2.3.8 bridge a few steps closer to Rails 3 and Ruby 1.9. If your app runs on Rails 2.3.9 without deprecation warnings, you’re looking good for an upgrade to Rails 3.

Deprecations

  • Changes i18n named-interpolation syntax from the deprecated Hello to the 1.9-native Hello %{name}.
  • Replaces Kernel#returning with Object#tap which is native to Ruby 1.8.7.
  • Renames Array#random_element to Array#sample which is native to Ruby 1.9.
  • Renames config.load_paths and .load_once_paths to the more accurate config.autoload_paths and .autoload_once_paths.

Along with these deprecations come a broad array of bugfixes and minor tweaks. Read the commit log for the full story.

Onward to 3.1!

Appreciate Rails 3 with charity

Rails 3.0 is a gift from all of us who’ve worked on it to anyone who wants to build something. If you like our gift, please show it by donating to the Rails 3.0 release charity: Charity:Water. We’ve started a campaign to raise $100,000 in the name of Rails 3.0, which will give 5,000 people access to clean water if we make it.

Charity:Water is a fantastic charity (and not just because they run on Rails!). You’d make everyone working on Rails proud by helping us reach our lofty goal.

Donations can be made at http://mycharitywater.org/rails3.

Rails 3.0: It's ready!

Rails 3.0 has been underway for a good two years, so it’s with immense pleasure that we can declare it’s finally here. We’ve brought the work of more than 1,600 contributors together to make everything better, faster, cleaner, and more beautiful.

This third generation of Rails has seen thousands of commits, so picking what to highlight was always going to be tough and incomplete. But here’s a choice selection of major changes for Rails 3:

New Active Record query engine
Active Record has adopted the ARel query engine to make scopes and queries more consistent and composable. This makes it much easier to build complex queries over several iterations. We also delay the actual execution of the query until it’s needed. Here’s a simple example:

    users = User.where(:name => "david").limit(20)
    users = users.where("age > 29")

    # SELECT * FROM users
    # WHERE name = "david" AND age > 29
    # ORDER BY name
    # LIMIT 20
    users.order(:name).each { |user| puts user.name }

Read more in the new Active Record guide and watch the Dive into Rails 3: ARel video.

New router for Action Controller
When we switched to a REST-based approach for controllers in Rails 2, we patched on the syntax to the existing router while we were waiting to see if the experiment panned out.

It did and for Rails 3 we’ve gone back and revamped the syntax completely to favor the REST style with less noise and more flexibility:

    resources :people do
      resource :avatar

      collection do
        get :winners, :losers
      end
    end

    # /sd34fgh/rooms
    scope ':token', :token => /\w{5,5}/ do
      resources :rooms
    end

    # /descriptions
    # /pl/descriptions
    # /en/descriptions
    scope '(:locale)', :locale => /en|pl/ do
      resources :descriptions
      root :to => 'projects#index'
    end

Read more in the new routing guide.

New Action Mailer
Action Mailer was born with a split-personality of half model, half controller. In Rails 3, we’ve made the choice to make it all controller. This means that the feel and functionality will be much closer to Action Controller and in fact they now share a bunch of underlying code. Here’s a taste of what it looks like now:

    class Notifier < ActionMailer::Base
      default :from => "Highrise <system@#{APPLICATION_DOMAIN}>"

      def new_project(digest, project, person)
        @digest, @project, @person = digest, project, person

        attachments['digest.pdf'] = digest.to_pdf
        attachments['logo.jpg'] = File.read(project.logo_path)

        mail(
          :subject => "Your digest for #{project.name}",
          :to => person.email_address_with_name
        ) do |format|
          format.text { render :text => "Something texty" }
          format.html { render :text => "Something texty" }
        end
      end
    end

The new Action Mailer is built on top of the new Mail gem as well. Say goodbye to TMail headaches.

Read more in the new Action Mailer guide.

Manage dependencies with Bundler
Managing all the dependencies of a Rails application has long been a hassle of patchworks. We had config.gem, Capistrano externals, custom rake setup tasks, and other incomplete solutions.

Bundler cleans all that up and allows you to specify the libraries, frameworks, and plugins that your application depends on. All Rails 3 applications are born with a Gemfile to control it all. See more on the Bundler site.

XSS protection by default
The internet is a scary place and Rails 3 is watching out for you by default. We’ve had CSRF protection with form signing for a while and SQL-injection protection since the beginning, but Rails 3 ups the ante with XSS protection as well (hat tip to Django for convincing us).

See the Railscast on XSS video and the Dive into Rails 3: Cross-site scripting video for more.
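What "by default" changes, shown as an added plain-Ruby model rather than Rails' own code: output is escaped on append unless the value has been explicitly marked as trusted markup, which is the role `html_safe` and `raw` play in Rails 3. `TrustedHTML`, `EscapingBuffer` and the three render functions are hypothetical names, and the comment string is constructed sample input.

```ruby
require 'erb'

# Wrapper for markup the developer has vouched for (hypothetical stand-in
# for the role html_safe strings play in Rails 3).
class TrustedHTML
  attr_reader :html

  def initialize(html)
    @html = html.to_s
  end
end

# Output buffer that escapes on append unless the value is TrustedHTML.
class EscapingBuffer
  def initialize
    @out = ''.dup
  end

  def <<(value)
    @out << (value.is_a?(TrustedHTML) ? value.html : ERB::Util.html_escape(value.to_s))
    self
  end

  def to_s
    @out.dup
  end
end

# Opt-in escaping: safe only if every call site remembers to escape.
def render_opt_in(comment)
  "<p>#{comment}</p>"
end

# Escape by default: template markup is trusted, interpolated data is not.
def render_by_default(comment)
  (EscapingBuffer.new << TrustedHTML.new('<p>') << comment << TrustedHTML.new('</p>')).to_s
end

# The way back to the old behaviour: vouching for data you do not control.
def render_misused(comment)
  (EscapingBuffer.new << TrustedHTML.new("<p>#{comment}</p>")).to_s
end

# Constructed sample input.
COMMENT = '<script>alert(1)</script>'
```

When reviewing a Rails 3 upgrade, the places to audit are the ones that look like `render_misused`: any `html_safe` or `raw` call whose argument contains request or database data.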

Say goodbye to encoding issues
If you browse the Internet with any frequency, you will likely encounter the &#xFFFD; character. This problem is extremely pervasive, and is caused by mixing and matching content with different encodings.

In a system like Rails, content comes from the database, your templates, your source files, and from the user. Ruby 1.9 gives us the raw tools to eliminate these problems, and in combination with Rails 3, &#xFFFD; should be a thing of the past in Rails applications. Never struggle with corrupted data pasted by a user from Microsoft Word again!

Active Model: Validations, callbacks, etc for all models
We’ve extracted quite a bit of commonly requested Active Record components into the new Active Model framework. This allows an ORM like Mongoid to use Active Record’s validations, callbacks, serialization, and i18n support.

Additionally, in the rewrite of Action Controller, we removed any direct references to Active Record, defining a clean, simple API that ORMs can implement. If you use an API-compliant ORM (like DataMapper, Sequel, or Mongoid), you will be able to use features like form_for, link_to and redirect_to with objects from those ORMs without any additional work.

Official plugin APIs
We also rewrote Railties with the express goal of using the new plugin API for all Rails frameworks like Active Record and Action Mailer. This means that Rails plugins like the ones for DataMapper and RSpec have access to all of the same integration as the built-in support for Active Record and Test::Unit.

The new Railtie API makes it possible to modify the built-in generators, add rake tasks, configure default Rails options, and specify code to run as early, or as late as you need. Rails plugins like Devise were able to add much better integration in the Rails 3 version of their plugin. Expect to see a lot more of that in the months ahead.

Rewritten internals
We rewrote the internals of Action Pack and Railties, making them much more flexible and easier to extend. Instead of a single monolithic ActionController::Base, Rails 3 exposes a number of modules, each with defined APIs, that you can mix and match to create special-purpose controllers for your own use. Both Action Mailer in Rails and the Cells project make heavy use of this new functionality.

You can also take a look at this blog post by Yehuda (from last year) to see how the new architecture makes it easy to implement Django-style generic actions in Rails by leveraging Rack and ActionController::Metal.

The Rails generator system got a revamp as well. Instead of monolithic generators that know about all of the Rails frameworks, each generator calls a series of hooks, such as :test_framework and :orm, that plugins can register handlers for. This means that generating a scaffold when using rSpec, DataMapper and Haml will generate a scaffold customized for those plugins.

Agnosticism with jQuery, rSpec, and Data Mapper
The rewritten internals and the new plugin APIs have brought true agnosticism to Rails 3 for all components of the framework. Prefer DataMapper to Active Record? No problem. Want to use jQuery instead of Prototype? Go ahead. Eager to test with rSpec instead of test/unit? You got it.

It’s never been easier to Have It Your Way™ with Rails 3. And at the same time, we’ve made that happen without making using the excellent default stack any more complicated.

Documentation
Rails 3 has had a long development cycle and while that might have led to some impatience, it has also given book and tutorial authors a chance to catch up and be ready. There’s a wealth of great Rails 3 documentation available already and more is coming shortly.

The Agile Web Development with Rails 4th Ed book is almost ready and there are plenty more books coming. Check out all the new guides, the new official videos, new Railscasts, and a new tutorial. See the recent recap of documentation sources for more.

Installation
    gem install rails --version 3.0.0

We also have a Rails v3.0.0 tag and a 3-0-stable branch.

Rails 3.0 has been designed to work with Ruby 1.8.7, Ruby 1.9.2, and JRuby 1.5.2+.

Gratitude and next steps
I’m personally incredibly proud of this release. I’ve been working on Rails for more than 7 years and the quality of the framework we have today is just astounding. This is only possible as a community effort and Rails 3 has seen so many incredible developers step up and help make this our best release ever (wink). Many thanks to all of you.

We’ll continue to develop Rails 3.0 with fixes and tweaks via the stable branch and Rails 3.1 is already cooking on master.

UPDATE: We’re raising money for Charity:Water in the name of Rails 3.0. Please donate and help us bring clean water to 5,000 people in the name of the Rails community.